Third-party software can be problematic. Just ask American Airlines, which recently experienced an issue with its iPad-based electronic flight bags. A misconfiguration in third-party mapping software caused the devices to crash when pilots tried to access a specific map, in turn delaying flights and frustrating crew members. Thankfully, the issue wasn't malicious, but it does highlight the need for effective vendor management when it comes to rolling out enterprise-grade software. Based on a recent Veracode whitepaper, here are five best practices to help improve overall security and lower the chance of fatal code flaws:
Fewer than one in five enterprises conduct security assessments with third-party vendors. Why? In large part, it's because they don't speak the same language. Enterprises have a set of governance, risk and compliance (GRC) terms that often bear little resemblance to those of a vendor — and each vendor a company partners with has its own way of looking at its product and security. Bottom line? Improving application security starts by defining what matters. First, identify all third-party vendors in the software supply chain. Then, communicate what type of security testing is expected, which services must be used and how reports must be presented. By getting everyone on the same page to start, there are fewer complications down the road.
Next step? Make expectations clear. It's best to do this through in-person meetings between an enterprise C-suite member and the highest-level stakeholder at a third-party vendor. This eliminates the need to move information up the chain of command, removing the possibility of misinterpretation or empty assurances. The goal here is to communicate detailed expectations along with the ancillary benefits of compliance; if a vendor lives up to its word, the result may be speedier contract renewals or preferred status among other partners.
The third step in effective vendor management is to open the floor and let software developers ask questions, allowing them to get into the nitty-gritty details of new security expectations. Some may be concerned about access to source code, while others may worry about the impact of new security protocols on project timelines. Here, two aims can be achieved. First, vendors can be provided all the knowledge necessary to follow GRC guidelines. Second, enterprises can clearly mark out expectations of access to source code and development procedures, and get firm commitments from vendors that state their agreement to comply at each step.
Of course, assurance alone isn't enough; enterprises must test and retest applications to ensure vendors are meeting their security goals. Best done in a non-live environment so there's no risk to sensitive corporate data, this gives companies a chance to identify high-priority vulnerabilities (anything on the OWASP Top 10, for example). Depending on what's discovered, enterprises can either send back code for improvements or add their own intermediate fixes to prevent more serious breaches. It's in this step that vendors really prove their mettle, and those committed to security will rise to the top. To make this step easier, Veracode has created VAST, a cloud-based vendor application security testing program that combines people, processes and technology to deliver a clear picture of software security on demand.
Not all third-party vendors are created equal. Many will find their own ways to improve application security outside of direct enterprise mandates, and these efforts should be both allowed and acknowledged. Other vendors may simply need extra assistance, especially if they supply specialty peripherals and coding is not their strongest suit. This also gives enterprises the ability to identify vendors that simply aren't a good fit and replace them with more security-minded alternatives.
Vendor management can make or break enterprise IT security efforts; the best practices above form a great starting point from which you can improve vendor relationships and end results.
Want to dig deeper? Download Veracode's full whitepaper on best practices for vendor application security management here.
Photo Source: StockSnap